Win2000 Server is currently one of the more popular server operating systems, but configuring Microsoft's operating system is not easy. This article is a preliminary discussion of the security configuration of Win2000 Server.

First, customize your own Win2000 Server:

1. Version selection: Win2000 comes in a variety of language versions. For us, the choice is between the English and Simplified Chinese versions. I strongly recommend using the English version if language is not an obstacle for you. Microsoft's products are known for bugs and patches; the Chinese version has far more bugs than the English version, and its patches generally arrive at least half a month late (that is, after Microsoft announces a vulnerability, your machine will generally spend half a month unprotected).

2. Customization of components: Win2000 installs a set of components by default, and it is exactly this default installation that is extremely dangerous (Mitnick said he could get into any server installed by default; I would not dare to say that, but if your host is a default installation of Win2000 Server, I can tell you, you are dead). You should know exactly which services you need and install only the services you really need. The security principle is: minimum services + minimum permissions = maximum security. The minimum component selection for a typical web server is: install only IIS's COM Files, IIS Snap-in, and WWW Server components. If you really need to install other components, be very careful, especially with these hazardous services: Indexing Service, FrontPage 2000 Server Extensions, and Internet Service Manager (HTML).

3. Choice of management application: Choosing good remote management software is very important, both for security and for practical use. Win2000 Terminal Service is remote control software based on RDP (Remote Desktop Protocol). It is fast, easy to operate, and well suited to routine operations. However, Terminal Service also has its shortcomings.
Because it uses a virtual desktop, and because Microsoft's programming is not rigorous, installing software or restarting the server through Terminal Service often produces exasperating results. For example, using Terminal Service to restart a Microsoft-certified server (Compaq, IBM, etc.) may shut it down outright. So, to be safe, I suggest you add another remote control program as a backup that complements Terminal Service; pcAnywhere is a good choice.

Second, properly install Win2000 Server:

1. Partitions and logical drives: To save effort, some people create only one logical drive and install all the software on C:, which is very bad. It is recommended to create at least two partitions, a system partition and an application partition, because Microsoft's IIS often has source-disclosure and overflow vulnerabilities. If the system and IIS are on the same drive, these can lead to disclosure of system files or even to an intruder remotely obtaining admin.
The recommended security configuration is to create three logical drives: the first, larger than 2G, for the system and important log files; the second for IIS; the third for FTP. That way a security vulnerability in either IIS or FTP will not directly affect the system directory and system files. Bear in mind that IIS and FTP are services exposed to the outside and are more prone to problems. IIS and FTP are kept apart mainly to prevent intruders from uploading programs and running them from IIS. (This may inconvenience developers and editors, but never mind that; after all, you are the administrator.)

2. Installation order: Do not think the order is unimportant and that, as long as everything gets installed, it does not matter how. Wrong! There are several ordering issues to observe during installation:

First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share but does not protect it with the password you just entered. This lasts until you restart. During this time, anyone can get into your machine through ADMIN$. In addition, as soon as installation completes, all services start automatically, and at that point the server is full of vulnerabilities and very easy to get into. So do not connect the host to the network until Win2000 Server is fully installed and configured.

Second, when to install patches: Patches should be installed after all applications are installed, because a patch often replaces or modifies some system files; if the patch is installed first, it may end up having no effect. For example, the IIS hotfix must be installed again after each change to IIS.

Third, securely configure Win2000 Server:

Even a properly installed Win2000 Server still has many vulnerabilities and needs further detailed configuration.

1. Ports: A port is the logical interface between the computer and the external network.
It is also the computer's first line of defense. Whether the ports are configured correctly directly affects the security of the host. In general, it is safer to open only the ports you need. To configure this, enable TCP/IP filtering under NIC Properties - TCP/IP - Advanced - Options - TCP/IP Filtering. Win2000's port filtering has one bad limitation, however: you can only specify which ports are open, not which ports are closed, which is painful for users who need to open a large number of ports.
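An added example (not from the original article) for auditing the "open only the ports you need" rule: it parses `netstat -an` output and reports every network-exposed port that is missing from a permit list shaped like the one TCP/IP filtering accepts. The netstat sample, the addresses and the permit list are constructed assumptions.

```python
import re

# Constructed sample of `netstat -an` output from a hypothetical web server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:4312      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
"""

# Assumed policy, shaped like the filter's permit lists:
# any port not listed here is meant to be closed.
PERMIT_ONLY = {"TCP": {80, 443, 3389}, "UDP": set()}

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_ports(netstat_text):
    """Return {(proto, port)} reachable from the network (not loopback-only)."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established session is not a listener
        if addr.startswith("127."):
            continue  # bound to loopback only
        found.add((proto, int(port)))
    return found

def audit(netstat_text, permit_only):
    """Return (ports exposed but not permitted, ports permitted but unused)."""
    exposed = exposed_ports(netstat_text)
    extra = sorted(p for p in exposed if p[1] not in permit_only.get(p[0], set()))
    unused = sorted((proto, port) for proto, ports in permit_only.items()
                    for port in ports if (proto, port) not in exposed)
    return extra, unused

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT, PERMIT_ONLY))
```

Ports in the first list belong to services to remove or to leave blocked by the filter; ports in the second list are permit entries with no listener behind them and can be dropped from the list.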
2. IIS: IIS is the Microsoft component with the most vulnerabilities. On average a vulnerability turns up every two or three months, and Microsoft's default IIS installation is really poor. IIS configuration is therefore our focus. Now follow along with me:

First, completely delete the Inetpub directory on the C: drive and create an Inetpub on the D: drive (if you do not trust the default directory name, you can change it, as long as you remember it), then point the home directory to D:\inetpub in the IIS manager.

Second, delete Scripts and the other default virtual directories created by the IIS installation (the source of sin, forget http://www.target.com/scripts/..